Threat Management, Threat Intelligence, Threat Management

Palo Alto: ‘Dark Seoul’ strikes again


The mysterious group behind the 2013 cyber attacks that crippled South Korean news stations, financial institutions, and government websites is likely the same attacker behind malware that appeared in Europe recently, according to Palo Alto Networks.

A blog post written by Palo Alto threat intelligence analysts Bryan Lee and Josh Grunzweig, said WildFire, the company's private cloud detection product, discovered the recent attacks and while the team could not confirm that it was staged by the same attackers, code samples “closely resembled several of the attributes of the South Korean attacks” and demonstrated behavior similar to the earlier attacks, the researchers wrote.

The malware was discovered by Sophos in 2013. McAfee provided additional research on the malware in June 2013, renaming Operation Troy. McAfee identified two groups that it believed to be responsible for the attacks: NewRomanic Cyber Army Team and The Whois Hacking Team. Both groups were believed to be state-sponsored groups.

The recent malware was installed via video player software, and are believed to have been contaminated during production by a company in the industrial control systems sector.

Although South Korea's contentious relationship with its northern neighbor made North Korea a likely suspect, researchers ruled out North Korea shortly after the attack.

The 2013 malware wiped hard drives of an estimated 32,000 computers that were infected with destructive malware.

The recent attacks do not show “evidence of destructive functionality” in the earlier South Korean attacks, but “the malware is capable of downloading additional components,” the researchers wrote. The malware may implement computer-wiping functionality at a later time.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.